x0

An x64 Linux bootkit that performs hardware spoofing and virtualbox hardening.


Description

x0 is a hardware spoofing and virtualbox hardening solution that consists of 4 main components:

  • Kernel Driver
  • Bootkit Loader (UEFI Application)
  • UEFI Bootkit (UEFI Runtime Driver)
  • Userspace Command-line Companion Program

Only two of these components, the UEFI bootkit and the bootkit loader, are required for x0 to work; the kernel driver is optional and only provides extra features for the userspace client. The main purpose of the userspace client is debugging the state of UEFI data structures after the OS has booted, among other things.

On execution, the bootkit loader does 3 main things:

  • Validate the UEFI driver (check for invalid signatures, etc.)
  • Map the UEFI driver into memory and execute it
  • Chainload BOOTX64

When the bootkit gets loaded, it performs a series of tasks depending on how it is configured:

  • Hooking GetVariable and SetVariable by swapping the pointers in the system table, then updating the table's CRC32 checksum
  • Creating an event for SetVirtualAddressMap that calls gRT->ConvertPointer(...) to convert the saved pointers to the original GetVariable and SetVariable to virtual-mode addresses
  • Scanning the configuration tables in the system table (depending on configuration)
  • If the table is found, patching it (depending on configuration)

After all of this, BOOTX64 is chainloaded so that we can boot into the OS.

Bootkit Features

  • Patching SMBIOS tables
  • Spoofing SecureBoot status
  • Modification of UEFI variables containing data that could be used to detect a VirtualBox instance

Usermode Program Features (Work In Progress)

  • Locating the address of the UEFI runtime service table
  • Locating the address of the SMBIOS table in kernel virtual memory
  • Dumping and parsing the contents of the UEFI runtime service table

Chart

[image: component chart not reproduced in this copy]

Windows Support

As of now the UEFI driver itself should work on Windows as well, but it may not be able to spoof SecureBoot. The bootkit can also be used for Windows, but you might have to edit the path to the bootloader that the bootkit loader will chainload. (src/loader/EfiLoad.h)

Disclaimer

The bootkit itself can be loaded individually and used to get around hardware-based bans on some games, however in the case that someone gets banned for using the bootkit to evade a ban for a game, I am not responsible for that. You have been warned.

Built with

  • C

Getting started

Compiling

First, take a look at this tutorial from OSDev on how to set up EDK2: https://wiki.osdev.org/EDK2

Once you're done with that, make sure that you git clone this repository inside the EDK2 directory, and add the paths to the .inf files in the src directory of the x0 folder to the [Components] section of MdeModulePkg/MdeModulePkg.dsc

Once EDK2 is properly set up, you can compile x0 by executing the following script:

  • ./build.sh

UEFI Bootkit Installation

In order to install the bootkit (and load it), follow these instructions:

  • Copy the compiled bootkit and bootkit loader (x0.efi and x0loader.efi) into the EFI System Partition (AKA /boot/efi/EFI)
  • Execute systemctl --firmware-setup reboot
  • Select the boot manager option and then select the 'EFI Shell' option
  • Once booted in the EFI shell, enter the fs0 mapping by running fs0:
  • Execute the following commands:
    • cd EFI
    • x0loader.efi
  • The bootkit loader will load the bootkit and then boot into the OS

Usage

  • ./x0client [-h, --help]

Credits

https://github.com/xmmword

Contributions 🎉

All contributions are accepted, simply open an Issue / Pull request.

Contributors

xmmword
